
A Framework of Remote Biometric Authentication on the Open Network
From GM Labs

Copyright 2005,2006 Institute of System & Information Technologies/ KYUSHU All rights reserved.

Agenda
- Background
- Our Goal
- Certificate-based framework of biometric authentication
- One-time Biometrics
- Conclusion

3/20/2012

Institute of Systems & Information Technologies/ KYUSHU

Background
Biometric authentication is remarkable!
Based on physical and behavioral characteristics:
- Fingerprint, iris, facial image, voice, pattern of veins, etc.


Background
Biometric authentication is remarkable!
Biometric systems are applied to many services:
- E-passports, banking, monitoring of entrances, etc.


Background
On the other hand, we need secure and reliable authentication systems for many E-Services! Biometrics is one of the candidates. However, if we apply biometrics to E-services, biometrics has some weak points:
- Secondary information is easy to obtain: sex, history of illness, etc.
- Irreplaceable: when enrolled data is compromised, we are not able to re-enroll spare data.
These are SERIOUS PRIVACY ISSUES.



Our Goal
Reliable authentication on open networks by using biometrics
Viewpoints:
1. Certificate-based framework
What do we require of a framework for a reliable biometric authentication system?

2. One-time biometrics
How do we construct secure remote biometric authentication systems, even when biometric authentication data is compromised?


Certificate-based framework
Public Key Infrastructure (PKI) with Biometrics
Currently, this area aims at international standardization:
- Ikeda et al.'s (Toshiba Solution) proposal to ISO/IEC JTC1/SC27/WG2
- Verification of Biometric Authentication Environment: Isobe et al.'s (Hitachi) proposal to ITU-T SG17/Q8
- Bio-PKI with Template Format

The above proposals have privacy issues: it is easy for anyone to obtain the relationship between the biometric data and its ownership.



Certificate-based framework
Assurance of anonymity in biometric authentication by using a Personal Repository

[Diagram: relationships among the parties]
- Owner (User) <- RELATION -> Personal Repository: certified by the Ownership Certificate, issued by the Certificate Authority for Users' Personal Repositories
- Personal Repository <- RELATION -> Enrolled Templates: certified by the Template Certificate, issued by the Certificate Authority for Template Data

A legitimate user or a legitimate server can verify these relationships, so that adversaries obtain no information about them.

Certificate-based framework
A framework for verification of ownership of the PR by the VA
Assumption: a CA issuing the ownership certificate of the PR, and a trusted VA

[Diagram: parties connected over the Internet]
- Client (User): Personal Repository and Biometrics Device
- Verification Authority for Users' Personal Repositories
- Application Server
- Certificate Authority for Users' Personal Repositories
- Certificate Authority for Public Keys
- Certificate Authority for Template Data
- Certificate Authority for Authentication Environment

Certificate-based framework
Argument of Security
In the abovementioned framework:
- Biometric authentication verifies that the personal repository is used by its legitimate user.
- To the application server, the user is anonymous.
- Only the VA can verify the identity of the user and of the holder. The Application Server receives only the verification result from the VA.
- If the user colludes with the VA, this framework is not secure.

The Personal Repository requires the following assumptions:
- Tamper resistance
- Computational power for generation and verification of digital signatures
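The data flow of the certificate-based framework can be made concrete with a small simulation, added here as an example and not code from the original presentation or from the authors. It models the parties of the diagram: two certificate authorities issue an ownership certificate (user to PR) and a template certificate (PR to enrolled template); the Personal Repository does the biometric match internally and signs a challenge; the Verification Authority checks the PR's assertion against both certificates; and the Application Server receives nothing but the VA's signed verdict. Assumptions: HMAC tags stand in for the digital signatures (a deployment would use public-key certificates so that verifiers hold no signing secrets), the Euclidean feature matcher and threshold are toy choices, and all keys, identifiers and feature vectors are constructed for the demo.

```python
import hashlib
import hmac
import json
import math
import secrets

# Constructed secrets for the demo. Assumption: HMAC tags stand in for the
# digital signatures of the slides' authorities; a deployment would use
# public-key certificates so that verifiers hold no signing secrets.
CA_PR_KEY = b"demo-ca-personal-repository"
CA_TPL_KEY = b"demo-ca-template-data"
VA_KEY = b"demo-verification-authority"


def sign(key, body):
    """Tag a dict over its canonical JSON encoding (signature stand-in)."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key, body, tag):
    return hmac.compare_digest(sign(key, body), tag)


def template_hash(template):
    """Certificates carry a hash of the template, never the template itself."""
    return hashlib.sha256(json.dumps(template).encode()).hexdigest()


def issue_ownership_cert(pr_id, owner):
    body = {"type": "ownership", "pr_id": pr_id, "owner": owner}
    return body, sign(CA_PR_KEY, body)


def issue_template_cert(pr_id, template):
    body = {"type": "template", "pr_id": pr_id, "template": template_hash(template)}
    return body, sign(CA_TPL_KEY, body)


def matches(template, sample, threshold=2.0):
    """Toy matcher: Euclidean distance between feature vectors (assumption)."""
    return math.dist(template, sample) < threshold


class PersonalRepository:
    """Tamper-resistant holder of the enrolled template and a signing key."""

    def __init__(self, pr_id, template, key):
        self.pr_id, self.template, self.key = pr_id, template, key

    def authenticate(self, sample, challenge):
        # Matching happens inside the PR; raw biometrics never leave it.
        if not matches(self.template, sample):
            return None
        assertion = {"pr_id": self.pr_id, "challenge": challenge,
                     "template": template_hash(self.template)}
        return assertion, sign(self.key, assertion)


def verification_authority(pr_keys, assertion, tag, own_cert, tpl_cert, challenge):
    """Trusted VA: checks the PR assertion and both certificates, returns only a verdict."""
    own_body, own_tag = own_cert
    tpl_body, tpl_tag = tpl_cert
    ok = (
        assertion["challenge"] == challenge
        and assertion["pr_id"] in pr_keys
        and verify(pr_keys[assertion["pr_id"]], assertion, tag)
        and verify(CA_PR_KEY, own_body, own_tag) and own_body["pr_id"] == assertion["pr_id"]
        and verify(CA_TPL_KEY, tpl_body, tpl_tag) and tpl_body["pr_id"] == assertion["pr_id"]
        and tpl_body["template"] == assertion["template"]
    )
    result = {"challenge": challenge, "verified": ok}
    return result, sign(VA_KEY, result)


def application_server(result, tag, challenge):
    """The server learns only the VA's verdict for its own challenge.
    Returns (accepted, the field names the server actually saw)."""
    accepted = verify(VA_KEY, result, tag) and result["challenge"] == challenge and result["verified"]
    return accepted, sorted(result)


def run_session(sample, tamper_owner=False):
    """One remote authentication with constructed enrolment data."""
    template = [10.0, 20.0, 30.0]                      # constructed enrolled features
    pr_key = b"demo-pr-key"                            # constructed PR signing key
    pr = PersonalRepository("pr-001", template, pr_key)
    pr_keys = {"pr-001": pr_key}                       # VA's registry of PR keys
    own_cert = issue_ownership_cert("pr-001", "alice@example.invalid")
    tpl_cert = issue_template_cert("pr-001", template)
    if tamper_owner:                                   # forged ownership claim
        body, tag = own_cert
        own_cert = (dict(body, owner="mallory@example.invalid"), tag)
    challenge = secrets.token_hex(8)
    signed = pr.authenticate(sample, challenge)
    if signed is None:                                 # local match failed
        return False, []
    assertion, tag = signed
    result, vtag = verification_authority(pr_keys, assertion, tag, own_cert, tpl_cert, challenge)
    return application_server(result, vtag, challenge)
```

The point the simulation makes is the separation of knowledge: the owner identity is inside the ownership certificate and only the VA ever evaluates it, while the Application Server's view of a session is the pair of fields `challenge` and `verified`. It also shows why the slides require a trusted VA and a tamper-resistant PR: a VA that lies in its verdict, or a PR whose key or template can be read out, breaks the argument.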

One-time Biometrics
This is still under investigation; I presented this topic at the Symposium of Cryptography & Information Security 2006 in Japan. Today I will talk only about the basic idea.

On the Internet, communication data can be obtained by others. Whenever authentication data is compromised, the authentication system must react to the compromise. To achieve this, the authentication system can generate data with one-time characteristics, like a one-time password.

One-time Biometrics
We propose the One-Time Transform (OTT)
- OTT: a different transform in every authentication session
- The OTT is shared by a client and the storage of templates
- The OTT is applied to the extracted features and to the corresponding enrolled templates
- The transformed data is used in the matching process

One-time Biometrics
An illustration of the One-Time Transform
Candidates for the OTT: recursive non-linear transforms (chaos transforms, iterated function systems)
[Figure: a point, the coordinates of one of the features or templates in the matching process, plotted on X and Y axes, together with its transformed positions under the OTT at time t1 with session number a1 and at time t2 with session number a2 (t1 ≠ t2).]

One-time Biometrics
We propose the One-Time Transform (OTT) (continued)
Requirements of the OTTs:
- It is difficult for any adversary to calculate the original features and templates from the transformed ones.
- There are optimal distance functions for evaluating the matching score from the transformed data.
- No adversary can extract the original features and templates from OTTs used in past authentications.

One-time Biometrics
Framework of biometrics with One-Time Transforms
Includes a Function Generator which constructs the OTTs. Expectation: it is easy to implement One-Time Biometrics by UPDATING SOFTWARE in conventional systems.
[Diagram: components]
- Time Stamp Server: time stamping
- Function Generator: construction of OTTs
- Storage of Templates: application of OTT
- Client: acquisition, feature extraction, application of OTT
- Authentication Server: matching, decision

One-time Biometrics
Argument of Security
Assumption: the security of the OTT is assured.
- Hill-climbing attack: DIFFICULT. The distance function and the threshold vary with the OTT.
- Replay attack: DIFFICULT.
  Case 1: adversaries eavesdrop on the communication between Client and Server. The transformed data changes in every authentication.
  Case 2: adversaries eavesdrop on the communication from the Function Generator. When the adversaries use a past OTT, the Client and the Storage can easily detect it.
- Collusion attack: FEASIBLE?
  Case 1: the Client colludes with the Function Generator.
  Case 2: the Server colludes with the Function Generator.
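The following is an added example, not code from the presentation or its authors, covering the OTT definition and requirements above and the replay and hill-climbing arguments on this slide. Assumptions: the per-session OTT is a keyed similarity transform (a session-derived rotation/reflection Q, translation and scale) rather than the recursive non-linear or chaos transforms the slides name as candidates; it is chosen because the second requirement, a distance function that still works on transformed data, then holds exactly, with the threshold scaling along with the transform. A shared secret (`OTT_SECRET`) stands in for the Function Generator distributing OTTs, the template storage tracks session numbers to refuse a replayed OTT, and all feature vectors are constructed.

```python
import hashlib
import hmac
import math
import random

# Constructed secret shared by the client and the template storage; the slides'
# Function Generator would distribute per-session OTTs instead (assumption).
OTT_SECRET = b"demo-ott-shared-secret"
BASE_THRESHOLD = 2.0   # matching threshold in the untransformed feature space


def make_ott(session, dim):
    """Derive the OTT for one session: x -> scale * Q x + shift, Q orthonormal.
    Assumption: this keyed similarity transform stands in for the slides'
    recursive non-linear candidates; it keeps Euclidean matching exact."""
    key = hmac.new(OTT_SECRET, str(session).encode(), hashlib.sha256).digest()
    rng = random.Random(key)
    # Random Gaussian vectors, orthonormalised by Gram-Schmidt -> rows of Q
    q = []
    for _ in range(dim):
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for u in q:
            d = sum(a * b for a, b in zip(v, u))
            v = [a - d * b for a, b in zip(v, u)]
        norm = math.sqrt(sum(a * a for a in v))
        q.append([a / norm for a in v])
    shift = [rng.uniform(-1000.0, 1000.0) for _ in range(dim)]
    scale = rng.uniform(0.5, 2.0)
    return {"q": q, "shift": shift, "scale": scale}


def apply_ott(ott, point):
    """Transform one feature vector or template point."""
    return [ott["scale"] * sum(r[j] * point[j] for j in range(len(point))) + s
            for r, s in zip(ott["q"], ott["shift"])]


def session_threshold(ott):
    """The distance threshold varies with the OTT, as the hill-climbing argument needs."""
    return ott["scale"] * BASE_THRESHOLD


class TemplateStorage:
    """Holds the enrolled template; hands out only transformed versions."""

    def __init__(self, template):
        self.template = template
        self.seen_sessions = set()

    def transformed_template(self, session):
        # A session number seen before means a past OTT is being replayed.
        if session in self.seen_sessions:
            raise ValueError("replayed OTT session %r" % (session,))
        self.seen_sessions.add(session)
        return apply_ott(make_ott(session, len(self.template)), self.template)


def authenticate(storage, features, session):
    """Server-side matching on transformed data only."""
    ott = make_ott(session, len(features))
    t_template = storage.transformed_template(session)
    t_features = apply_ott(ott, features)          # what the client would send
    return math.dist(t_template, t_features) < session_threshold(ott)


def demo():
    """Genuine match, impostor, distance preservation, replay and stale data."""
    template = [10.0, 20.0, 30.0]                  # constructed enrolled features
    genuine = [10.5, 19.5, 30.2]                   # constructed live sample
    impostor = [50.0, 50.0, 50.0]
    storage = TemplateStorage(template)
    out = {
        "genuine": authenticate(storage, genuine, session=1),
        "impostor": authenticate(storage, impostor, session=2),
    }
    # Same OTT on both sides: distances scale uniformly, so matching stays exact
    ott = make_ott(7, 3)
    a, b = [1.0, 2.0, 3.0], [4.0, 6.0, 3.0]
    out["distance_preserved"] = abs(
        math.dist(apply_ott(ott, a), apply_ott(ott, b)) - ott["scale"] * math.dist(a, b)) < 1e-6
    # Different sessions: the same template looks different on the wire
    out["sessions_differ"] = apply_ott(make_ott(1, 3), template) != apply_ott(make_ott(2, 3), template)
    # Reusing session 1's OTT is refused by the storage
    try:
        authenticate(storage, genuine, session=1)
        out["replay_detected"] = False
    except ValueError:
        out["replay_detected"] = True
    # Transformed features captured in session 1 do not match under session 3's OTT
    captured = apply_ott(make_ott(1, 3), genuine)
    ott3 = make_ott(3, 3)
    out["stale_data_rejected"] = math.dist(storage.transformed_template(3), captured) >= session_threshold(ott3)
    return out
```

Two of the slide's requirements are visible in the code and one is not: matching on transformed data works because the transform is a similarity, and a replayed OTT or replayed transformed data is rejected because each session has its own transform and the storage remembers session numbers. What this toy does not provide is the first requirement, irreversibility: a similarity transform is invertible once enough transformed pairs are known, which is exactly why the slides look to recursive non-linear transforms and why the security argument starts from the assumption that the OTT itself is secure.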

Conclusion
Certificate-based Framework:
We propose a framework of biometric authentication on open networks:
- Establishment of a Verification Authority
- Assurance of the user's anonymity against the Application Server
- Reduced possibility of compromising personal information

One-Time Biometrics:
We propose the One-Time Transform, which differs in every authentication session.
- Resistance against the Hill-Climbing Attack and the Replay Attack

Future Works
In fact, there are too many points.

Thank you for your attention
